Memory buildup after updating to NMAS

  • 7004809
  • 05-Nov-2009
  • 26-Apr-2012


Novell eDirectory 8.8.5 FTF 1 for All Platforms
Novell Modular Authentication Service (NMAS) version


After upgrading to NMAS, dhost or ndsd processes or nmas.nlm  regularly grow in memory consumption and lead to frequent hangs and abends/crashes.


To determine if you are being affected by this particular issue, determine first if your system has users with large value counts for the pwdFailureTime attribute. To do so, go to iMonitor, Reports, Report Config, Value Count, enter 5000 in the Max Value Count field and run the report.

If one or many users display a high value count for pwdFailureTime attribute, then you could be affected by this issue. The more values the attribute has, the bigger the risk of a memory buildup that could cause the server to crash before the attributes are cleaned up by the server.

In order to prevent the attribute from building up, it's possible to disable the feature that updates this attribute. This can be done on a per user basis (a schema update is necessary), by setting the attribute sasUpdateLoginInfo to 1. It can also be set for the whole server by adding a value of LoginInfo to 1 on server startup. For more information on how to do this follow the instructions on:
Once the update of pwdFailureTime has been disabled, it is possible to clean up the values manually with dsrepair and the -sx switch. The -sx switch will delete all values for a particular attribute. Since eDirectory 8.8.5 FTF 1, the deletion will synchronize to other replicas. This switch should be used with extreme caution!

Since only a few users are normally affected by this, it's possible to clean up only those users with a single object repair. On Linux/Solaris the command would be:
ndsrepair -J<entryID> -Ad -sx "pwdFailureTime"

For Netware and Windows the single object repair switch is different:
dsrepair -SO<entryID> -sx "pwdFailureTime"

Additional Information

NMAS introduces a feature that will limit the amount of values stored in the attribute pwdFailureTime on respective user objects. In previous versions of NMAS, this attribute is intended to incrementally count every failed login until a successful login. A successful login would clear the list of failed logins. NMAS restricts the number of values for this attribute to a maximum of 100 and deletes all the older values on the next login.

If some users have a very large amount of values in the pwdFailureTime, for example due to a script running with invalid credentials, it is possible to cause a race condition which will cause that this large list to be read into memory for each login attempt. Depending on the amount of values and the frequency of the logins, the server may eventually run out of memory.